OpenSSH FIPS support

Roumen Petrov openssh at roumenpetrov.info
Mon Mar 13 00:50:54 AEDT 2023


Hi,

James Ralston wrote:
> On Fri, Mar 10, 2023 at 10:27 AM Joel GUITTET
> <jguittet.opensource at witekio.com> wrote:
>
> [SNIP]
>
>> Patching OpenSSH for this looks to be a massive job. Is it something
>> that is considered on your side?
> No patching of OpenSSH is required.

Reality is different .

1.) Some FIPS validated modules limit API use.
Program code must use only allowed API for cryptographic operations.

2.) Some PIPS validated modules do not include FIPS allowed algorithms.
Program code could inform cryptographic library that "custom" algorithm is allowed n FIPS mode.

3) User friendly program does not require manual configurations.
Program must detect that cryptographic module runs in FIPS mode and do not offer or to refuse use of non-FIPS allowed algorithms.
Optionally program may force cryptographic module to run in FIPS mode.


For protocol all above is part or PKIX-SSH.

Regards,
Roumen Petrov

-- 
Advanced secure shell implementation with X.509 certificate support
http://roumenpetrov.info/secsh/




More information about the openssh-unix-dev mailing list